OpenShift GitOps Argo CD ClusterRole Reconciliation Ownership Bypass (DoS)
CVE-2026-14251 Published on July 15, 2026
Gitops-operator: gitops-operator: missing allowednamespace check in reconcilerhook for clusterrole/role cases enables potential privilege escalation and dos
A flaw was found in the OpenShift GitOps operator. The ClusterRole reconciler does not validate resource ownership when reconciling ClusterRole objects. A namespace-scoped Argo CD instance can trigger deletion of a ClusterRole owned by a cluster-scoped Argo CD instance by crafting a name collision, resulting in a denial of service.
Vulnerability Analysis
CVE-2026-14251 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Timeline
Reported to Red Hat.
Made public. 53 days later.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-14251 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-14251
Want to know whenever a new CVE is published for Red Hat Openshift Gitops? stack.watch will email you.